My haproxy frontend config looks like this:
frontend testthing.com
    bind :1234 ssl crt /etc/ssl/pem/mycert.pem
    mode tcp
    log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq %sslv %sslc"
    option logasap
    tcp-request connection expect-proxy layer4
    default_backend my-backend
From a different server, I have an haproxy backend that connects to it, and does health checks:
backend testthing
    mode tcp
    server testthing 1.2.3.4:1234 send-proxy check ssl verify none
That backend reports that testthing is always up, however I’m seeing the following haproxy logs on the frontend server:
Dec 14 02:47:54 my-host-a haproxy[21364]: 10.10.10.11:44748 [14/Dec/2023:02:47:54.456] testthing.com/1: Success
Dec 14 02:47:56 my-host-a haproxy[21364]: 10.10.10.11:44764 [14/Dec/2023:02:47:56.460] testthing.com/1: Success
Dec 14 02:47:58 my-host-a haproxy[21364]: 10.10.10.11:44772 [14/Dec/2023:02:47:58.463] testthing.com/1: Success
Dec 14 02:48:00 my-host-a haproxy[21364]: 10.10.10.11:57924 [14/Dec/2023:02:48:00.467] testthing.com/1: Success
Dec 14 02:48:02 my-host-a haproxy[21364]: 10.10.10.11:57928 [14/Dec/2023:02:48:02.470] testthing.com~ my-backend/<NOSRV> -1/-1/+3 +0 SC 1/1/0/0/0 0/0 TLSv1.3 TLS_AES_256_GCM_SHA384
Dec 14 02:48:04 my-host-a haproxy[21364]: 10.10.10.11:57934 [14/Dec/2023:02:48:04.476] testthing.com/1: Success
Dec 14 02:48:06 my-host-a haproxy[21364]: 10.10.10.11:57950 [14/Dec/2023:02:48:06.479] testthing.com/1: Success
Dec 14 02:48:08 my-host-a haproxy[21364]: 10.10.10.11:57952 [14/Dec/2023:02:48:08.482] testthing.com/1: SSL handshake failure
Dec 14 02:48:10 my-host-a haproxy[21364]: 10.10.10.11:47886 [14/Dec/2023:02:48:10.487] testthing.com/1: SSL handshake failure
Dec 14 02:48:12 my-host-a haproxy[21364]: 10.10.10.11:47900 [14/Dec/2023:02:48:12.491] testthing.com/1: Success
Sometimes “Success”, sometimes “SSL handshake failure”, and sometimes a log that looks like a regular connection that prints the TLS version and cipher.
Both instances of haproxy are running version 2.8.5.
When I downgrade the frontend instance of haproxy to version 1.9, I consistently get the log similar to this, for every health check:
Dec 14 02:48:02 my-host-a haproxy[21364]: 10.10.10.11:57928 [14/Dec/2023:02:48:02.470] testthing.com~ my-backend/<NOSRV> -1/-1/+3 +0 SC 1/1/0/0/0 0/0 TLSv1.3 TLS_AES_256_GCM_SHA384
What is going on here? I can link tcpdumps if that would help.
Also, I get the same result of weird logging if the send-proxy and expect-proxy bits are removed.
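
Added example, not part of the original post: a small Python triage script that separates the two line shapes seen in the frontend log above (the short lines, read here as `frontend/listener: message`, and the full lines that follow the post's `log-format`) and tallies outcomes per client address. The function names are hypothetical, and the sample lines are copied from the post.

```python
import re
from collections import Counter

# Four lines copied from the post's frontend log, covering each outcome seen.
SAMPLE = """\
Dec 14 02:47:54 my-host-a haproxy[21364]: 10.10.10.11:44748 [14/Dec/2023:02:47:54.456] testthing.com/1: Success
Dec 14 02:48:02 my-host-a haproxy[21364]: 10.10.10.11:57928 [14/Dec/2023:02:48:02.470] testthing.com~ my-backend/<NOSRV> -1/-1/+3 +0 SC 1/1/0/0/0 0/0 TLSv1.3 TLS_AES_256_GCM_SHA384
Dec 14 02:48:08 my-host-a haproxy[21364]: 10.10.10.11:57952 [14/Dec/2023:02:48:08.482] testthing.com/1: SSL handshake failure
Dec 14 02:48:10 my-host-a haproxy[21364]: 10.10.10.11:47886 [14/Dec/2023:02:48:10.487] testthing.com/1: SSL handshake failure
"""

# Common prefix of both shapes: syslog header, then %ci:%cp [%t]
PREFIX = re.compile(
    r"haproxy\[\d+\]: (?P<ci>[\d.]+):(?P<cp>\d+) \[(?P<t>[^\]]+)\] (?P<rest>.*)$")
# Remainder of the post's log-format:
#   %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq %sslv %sslc
FULL = re.compile(
    r"(?P<ft>\S+) (?P<b>[^/\s]+)/(?P<s>\S+) "
    r"(?P<Tw>[-+\d]+)/(?P<Tc>[-+\d]+)/(?P<Tt>[-+\d]+) (?P<B>[-+\d]+) "
    r"(?P<ts>\S+) (?P<conns>\d+(?:/\d+){4}) (?P<queues>\d+/\d+) "
    r"(?P<sslv>\S+) (?P<sslc>\S+)")
# Short shape: "<frontend>/<listener>: <message>"
SHORT = re.compile(r"(?P<fe>[^/\s]+)/(?P<li>\S+): (?P<msg>.+)")

def parse_line(line):
    """Return a dict describing one log line, or None if it is not recognised."""
    m = PREFIX.search(line.strip())
    if not m:
        return None
    rec = {"client": m["ci"], "port": int(m["cp"]), "time": m["t"]}
    for kind, pattern in (("session", FULL), ("connection", SHORT)):
        body = pattern.fullmatch(m["rest"])
        if body:
            rec.update(kind=kind, **body.groupdict())
            return rec
    return None

def summarize(text):
    """Count outcomes per client: the message for short lines, state + TLS version for full ones."""
    tally = Counter()
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["kind"] == "session":
            outcome = f"session {rec['ts']} {rec['sslv']}"
        else:
            outcome = rec["msg"]
        tally[(rec["client"], outcome)] += 1
    return tally

if __name__ == "__main__":
    for (client, outcome), n in sorted(summarize(SAMPLE).items()):
        print(f"{client:15} {n:3}  {outcome}")
```

Run against the whole log from each haproxy version, the per-outcome counts make the difference between the 2.8.5 and 1.9 frontends directly comparable.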